Characteristics of Internet Background Radiation - UNC Computer ...

More documents

Recommendations

Info

two short binary messages. "ftp://bla:bla@:/bot.exe 0" On the Class A network, however, we do not see a lot of port 2745 activities. Interestingly, we see several source hosts that attempt to upload Windows executables. We also see many hosts that close the connection after exchange of an initial message. On port 4751, in some cases we see binary upload after echoing a header, similar to what happens on port 3721, but in most cases we receive a cryptic 24-byte message, and are unable to elicit further response by echoing. TCP Port 1981/4444/9996: (Exploit Follow-Ups): While worms such as CodeRed and Slammer are contained completely within the buffer-overrun payload, several of the other worms such as Blaster and Sasser infect victim hosts in two steps. First, the buffer-overrun payload carries only a piece of “shell code” that will listen on a particular port to accept further commands; Second, the source then instructs the shell code to download and execute a program from a remote host. For example, on port 4444, the follow-up port for the Blaster worm, we often see: tftp -i GET msblast.exe start msblast.exe msblast.exe Similarly, on port 1981 (Agobots) and 9996 (Sasser) we see sequences of shell commands to download and execute a bot.exe. In contrast, there is a different kind of shell code called “reverse shell” which does not listen on any particular port, but instead connects back to the source host (“phone home”). The port on the source host can be randomly chosen and is embedded in the shell code sent to the victim. The Welchia worm uses a reverse shell (though its random port selection is flawed). This makes it much harder to capture the contents of follow-up connections, because 1) we will have to understand the shell code to find out the “phonehome” port; and 2) initiating connections from our honeypots violates the policy of the hosting networks. empty). UDP Port 53: We expected to see a lot of DNS requests, but instead, find sources sending us non-DNS (or malformed) packets as shown below: 20:27:43.866952 172.147.151.249.domain > 128.3.x.x.domain: [udp sum ok] 258 [b2&3=0x7] [16323a] [53638q] [9748n] [259au] Type26904 (Class 13568)? [|domain] (ttl 115, id 12429, len 58) 0x0000 (...) 0x0010 xxxx xxxx 0035 0035 0026 xxxx 0102 0007 ................ 0x0020 d186 3fc3 2614 0103 d862 6918 3500 d54c ..?.&....bi.5..L 0x0030 8862 3500 cb1f ee02 3500 .b5.....5. We do not know what these packets are. These requests dominate UDP packets observed in the LBL and UW (I,II) networks. Table 8 provides a summary of the DNS activity observed in the Class A network during a 24 hour trace showing a more diverse activity. Much like the UW and LBL networks, sources sending malformed DNS requests dominate. However, in terms of packet counts other queries are substantial. We suspect these are possibly due to misconfigured DNS server IP addresses on hosts. These queries are sent to various destination IP addresses and originate from various networks. Hence it seems unlikely that these are a result of stale DNS entries. The biggest contributor in terms of volume are standard A queries that resolve IP address for domain names. The SOA packets are “Start of Authority” packets used to register domain authorities. We observed 45 sources (out of total 95) registering different domain authorities in BGC.net. Other queries include PTR queries (used for reverse DNS lookups), SRV records (used to specify locations of services) and AAAA queries (IPv6 name resolution). Type Num packets Num sources Malformed packets 5755 3616 Standard (A) queries 10139 150 Standard query (SOA) 4059 95 Standard query (PTR) 1281 27 DNS Standard query SRV packets 785 20 DNS Standard query AAAA packets 55 16 DNS Standard unused packets 739 3 DNS Standard unknown packets 1485 3 Table 8: Summary of DNS activity seen in the Class A (24 hours) UDP Port 137: The activities are dominated by NetBIOS standard name queries (probes). UDP Port 1026, 1027 (Windows Messenger Pop-Up Spam): These appear as UDP packets with source port 53 and destination port 1026 (or 1027). While this port combination typically connotes a DNS reply, examination of packet contents reveal that they are in fact DCE/RPC requests that exploit a weakness in the Windows Messenger API to deliver spam messages to unpatched Windows desktops [40]. Figure 10 shows a trace of a typical packet. The source IP addresses of these packets are often spoofed, as suggested by the observed ICMP host-unreach backscatter of these attacks in the Class A. The choice of source port 53 is most likely to evade firewalls. 05:23:16.964060 13.183.182.178.domain > xxx.xxx.xxx.xxx.1026: 1024 op5 [4097q] 68/68/68 (Class 0) Type0[|domain] (DF) ... 0x0010 .... .... .... .... .... .... 0400 a880 ................ 0x0020 1001 000a 000a 000a 0000 0000 0000 0000 ................ 0x0030 0000 0000 f891 7b5a 00ff d011 a9b2 00c0 ......{Z........ 0x0040 4fb6 e6fc 4ba6 e851 f713 8030 a761 c319 O...K..Q...0.a.. 0x0050 13f0 e28c 0000 0000 0100 0000 0000 0000 ................ 0x0060 0000 ffff ffff 6400 0000 0000 0c00 0000 ......d......... 0x0070 0000 0000 0c00 0000 5265 616c 2057 6f6d ........Real.Wom 0x0080 656e 0000 0400 0000 0000 0000 0400 0000 en.............. 0x0090 596f 7500 3000 0000 0000 0000 3000 0000 You.0.......0... 0x00a0 5741 4e54 2053 4558 3f0d 0a0d 0a46 494e WANT.SEX?....FIN 0x00b0 4420 5553 2041 543a 0d0a 0d0a 0977 7777 D.US.AT:.....www 0x00c0 2exx xxxx xxxx xxxx xx2e 4249 5a0d 0a00 .********.BIZ... Figure 10: Observed Windows Messenger Pop-Up Spam packets. UDP Port 1434: The Slammer worm is still alive and is the only background radiation we see on port 1434. TCP Port 1433: We have not yet built a detailed responder for MS-SQL. It appears that most source hosts are trying to log in with blank passwords. TCP Port 5000: We do not know enough about this port. The port is reserved for Universal Plug-and-Play on Windows Systems, but almost none of requests we see are valid HTTP requests. However, most requests contain a number of consecutive 0x90’s (NOP) and thus look like buffer-overrun exploits. All the ports we examine above exhibit a modal distribution at the application semantic level, i.e., they all contain one or a few dominant elements. The only exception is the DCE/RPC ports, on which we see some diversity, but in some sense, the various exploits on DCE/RPC ports have a single dominant element on a higher level — they target the same vulnerability. As the dominant elements are quite different from what we see in the normal traffic, this suggests that we will be able to filter out the majority of background radiation traffic with a sound classification scheme at
Number of Source Hosts 10000 9000 8000 7000 6000 5000 4000 3000 2000 1000 445/Locator 80/SrchAAA 135/RPC exploit (1464 bytes) 445/Sasser ("lsarpc") 0 0 2 4 6 8 10 12 14 16 Time (day) Figure 11: The Big Exploits (Apr 20 to May 7, 2004), as observed on 5 /C networks at LBL. The source hosts are counted every three hours. the application semantic level. 5.2 Temporal Distribution of Activities We will examine two cases of temporal activity. First, we will look at the exploits with the largest source population and consider the distributional variation over time; Second, we look at the exploits targeted at a particular vulnerability and consider how these exploits evolve and diversify over time. We will focus on the LBL network for this analysis. 5.2.1 The Dominant Exploits Figure 11 shows how the numbers of source hosts vary over the course of 18 days for the four exploits with largest source population. The source volumes for the SrchAAA and Locator exploits are relatively stable and close to each other over time. This is not surprising because these exploits are likely coming from the same worm, as we will see in Section 6.2. The other two exploits, Exploit1464 and Sasser, show much a wider range of source volume dynamics — this is especially true for Exploit1464, which temporarily retreated to a much smaller scale around April 30th. All four exploits demonstrate a strong diurnal pattern, with obvious peaks at local time noon. We do not have good explanations for this pattern. For SrchAAA, Locator, and the Sasser exploits, the peak might be due to hosts being turned on at daytime and doing local-biased search. However, for Exploit1464, the steep narrow peaks lead us to believe they could be caused by the scanning mechanism itself. 5.2.2 DCE/RPC Exploits DCE/RPC exploits that target the Microsoft DCOM RPC vulnerability [37] present an interesting case of a single well-known vulnerability being used and reused by various worms and/or autorooters. This vulnerability is particularly attractive because it exists on every unpatched Windows 2000/XP system, in contrast to, e.g. vulnerabilities that exist only on IIS or SQL servers. We have seen quite a few different exploit payloads in this data. There are at least 11 different payload lengths. This does not appear to be result of intentional polymorphism, for two reasons: 1) from almost every single source IP we see only one payload length; and 2) it would be easy to vary the length of payload by simply inserting NOP’s if the adversary wanted to incorporate some polymorphism. Thus we infer that the diversity of payloads is not due to deliberate polymorphism but due to different code bases. While the payloads themselves might not be very interesting, since the diversity is likely due to the various “shell code” they carry, the diversity offers us an opportunity to look at the rising and ebbing of different exploit programs. Without a robust way to cluster payloads by contents (payloads of same length sometimes differ on tens to hundreds bytes and the differences are not merely byte shifting), we choose to cluster the exploits by lengths and the ports on which they appear, including port 135/1025 and the Epmapper pipes on port 445/139. Under this scheme, we see more than 30 different exploit types. We select 9 of the popular exploits and consider how the number of source IP addresses for each exploit varies over time during April 2004. The exploits have 4 different payload lengths: 1448, 1464, 2972, and 2904, and are seen on port 135, 1025, and 445. We observe strong temporal correlation among exploits of the same length for lengths 2792 and 2904, while this is not the case for lengths 1448 and 1464. The four exploits also show some correlation in terms of activity to port 135 and to port 445, which is due to the same source probing both ports. We also find that even for multiple sources, activity for particular port/length pairs tends to come in bursty spikes, suggesting synchronized scanning among the sources. 6. CHARACTERISTICS OF SOURCES In this section we examine the background radiation activities in terms of source hosts. We associate various activities coming from the same source IP to construct an “activity vector” for each source IP, which we then examine in three dimensions: 1) across ports, 2) across destination networks, and 3) over time. There is a caveat about identifying hosts with IP addresses: due to DHCP, hosts might be assigned different addresses over time. A study [21] concluded that “IP addresses are not an accurate measure of the spread of a worm on timescales longer than 24 hours”. However, without a better notion to identify hosts, we will still use IP addresses to identify hosts, while keeping this caveat in mind. 6.1 Across Ports Associating activities across ports sometimes gives us a significantly better picture of a source’s goals. This especially helps with analyzing puzzling activities, because it puts behavior on individual ports in the context of collective activity. For example, simply looking at an RPC exploit may not readily reveal the worm or autorooter that sends it, but once we see a follow-up to port 4444 with "tftp msblast.exe", we know that the earlier exploit comes from Blaster. Table 9 provides a summary of the top multi-port scanning episodes seen in the four networks. The most common is sources that scan both 139 and 445. Many viruses that exploit Net- BIOS/SMB (CIFS) exhibit this behavior since for propagation the ports can be used interchangeably. This next most common multiport source behavior exploits the Microsoft DCE/RPC vulnerability [37] both via port 135 and by connecting to the Epmapper pipe through port 139 and port 445 during the same episode. These are likely variants of Welchia. Most port 5000 connections are empty and the rest small portion of them look like buffer overrun exploits. We also find Agobot variants that occasionally target these services. They connect to the SAMR pipe through CIFS to obtain registry information, following the sequence described in Figure 4 and drop the file mdms.exe into one of the startup folders. The least common profiles are used exclusively by Agobot variants (I, II and III).
Page 1 and 2: ¡ ¢ £ Characteristics of Interne
Page 3 and 4: Effectiveness of Filter (% reductio
Page 5 and 6: -> SMB Negotiate Protocol Request
Page 7 and 8: Number of Packets Per IP (per hour)
Page 9: GET http://dc.tickerbar.net/tld/pxy
Page 13 and 14: Mar 29 Mar 30 Apr 29 1-Day 1-Month

Characteristics of Internet Background Radiation - UNC Computer ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?